By Rozarani Reddy, Cyber Security Director, Evernorth Health Service
The financial and reputational consequences of a serious breach have fundamentally altered how enterprises govern cyber risk. According to a 2025 Cost of a Data Breach Report by IBM, the global average cost of a data breach now exceeds four million dollars, and in regulated sectors such as healthcare, regulatory penalties compound that exposure significantly. Frameworks including and cybersecurity disclosure rules have shifted accountability upward, placing boards and executive leadership in direct line of regulatory scrutiny.
This is no longer a technology management question. It is a business continuity, liability, and governance question, and the enterprises that treat it as anything less are systematically underestimating their exposure. The practical consequence of this shift is that security organisations must operate at a scale, speed, and strategic depth that legacy delivery models cannot sustain. That is precisely the gap that India’s Global Capability Centres (GCCs) have moved to fill.
From Back-Office Centres to Security Backbone
GCCs followed a recognisable path before arriving at their current strategic position. Through the 1990s they absorbed back-office and customer-facing functions. The following decade brought product engineering, analytics, and core industry services into scope. Over the last ten years, GCCs expanded into full-spectrum digital services encompassing cloud, AI, platform engineering, and risk operations. Cybersecurity matured along the same trajectory.
Functions that once resided in discrete teams handling identity management or incident logging have consolidated into enterprise-wide security operations Centres spanning time zones, zero trust architecture programmes, cloud security governance, and GRC frameworks operating at a global scale. Security is now embedded into the product, the platform, and the data pipeline as a foundational design requirement rather than a control appended after deployment.
Why Boards Cannot Ignore This Shift
Regulators across sectors now require continuous compliance demonstration rather than periodic attestation, and boards are expected to engage with cyber risk as a direct business variable. In healthcare, where patient data carries both regulatory consequence and direct human significance, a security failure extends well beyond operational disruption. It threatens care continuity and erodes institutional trust in ways that are difficult to recover. GCC-driven security command centres in this environment are not supplementary infrastructure. They are the operational architecture that determines whether an enterprise can absorb and recover from a serious incident.
The follow-the-sun model gives this practical form. Threat actors operate without regard for business hours, and the interval between initial detection and material damage is measured in minutes. GCCs in India provide the distributed, continuously staffed security capability that makes 24×7 monitoring, red and purple team exercises, and rapid incident containment viable at enterprise scale.
AI, Predictive Security and the Expanding Threat Surface
The most consequential expansion of GCC security responsibility is occurring at the intersection of artificial intelligence and threat operations, and it runs in both directions. Threat actors are now deploying AI offensively to accelerate reconnaissance, generate convincing phishing content at scale, automate vulnerability discovery, and adapt attack behaviour in near real time to evade detection. The speed and sophistication this introduces has materially shortened the window available for defenders to identify and contain an intrusion.
On the defensive side, AI-driven detection has progressed well beyond signature-based alerting. Behavioural analytics construct dynamic baselines across user activity, network telemetry, and application behaviour, surfacing deviations that static rule sets cannot identify. Predictive threat modelling draws on historical attack patterns and live threat intelligence to anticipate adversary movement before an intrusion progresses through its full kill chain. AI simultaneously introduces a governance and compliance dimension that most enterprises are still developing the frameworks to address.
Large language models deployed within enterprise workflows present real risks around prompt injection, data exfiltration through model outputs, and sensitive context embedded in training pipelines. Model poisoning represents an attack category that conventional SOC playbooks were not designed to detect. GCC security teams are actively constructing AI governance frameworks encompassing model risk management protocols, bias detection for security-relevant models, and audit trails that satisfy both internal risk appetite and external regulatory requirements. The governance of AI within security operations is an active programme requirement, not a deferred one.
Security as an Engineering Discipline
DevSecOps has become the operating model, with security controls embedded into CI/CD pipelines, API management layers, cloud landing zones, and data governance frameworks. GCC teams carry secure-by-design mandates across platform modernisation programmes, ensuring that multi-cloud architectures and AI model deployments are built with control integrity from the outset. The forward agenda encompasses real-time decision authority in incident management, zero trust architecture alignment across hybrid environments, and consistent third-party risk controls enforced uniformly across global supplier ecosystems.
India’s Talent Advantage as Strategic Differentiator
Underpinning all of this is India’s depth of engineering talent applied to security at scale. The country produces security professionals who combine rigorous foundational engineering with applied expertise across cloud, AI, threat intelligence, and compliance domains. That combination, available at the scale India offers, is genuinely scarce in the global talent market. No other geography currently offers this concentration of security depth, regulatory fluency, and operational continuity capability within a single delivery footprint. As threats grow more sophisticated and AI governance becomes a board-level accountability, GCC security teams operating from India are not merely supporting global enterprises. They are providing the strategic security leadership those enterprises depend on to remain viable.